fix: cleanup the KMS validation logic + other cleanup (#186)

BREAKING CHANGE: If you were using the legacy input variable `allowlist` to restrict network to a specific IP range, you will need to migrate to using Context Based Restrictions (CBRs) for this. For more info see [Protecting Cloud Databases resources with context-based restrictions](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-cbr&interface=ui)

Author: ocofaigh

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-05-05T07:46:50Z",
+  "generated_at": "2023-05-12T16:19:47Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -79,10 +79,10 @@
   "results": {
     "README.md": [
       {
-        "hashed_secret": "8acbd0ff478f744859b92e1251622e4124bceef0",
+        "hashed_secret": "ff9ee043d85595eb255c05dfe32ece02a53efbb2",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 24,
+        "line_number": 18,
         "type": "Secret Keyword",
         "verified_result": null
       }

README.md

@@ -1,6 +1,7 @@
-# Basic example
+# Basic with read-only replica example
 
 An end-to-end example that uses the module's default variable values. This example uses the IBM Cloud terraform provider to:
 
 - Create a new resource group if one is not passed in.
 - Create a new ICD Postgresql database instance.
+- Create a read-only replica of the leader Postgresql database instance. For more info on Read-only Replicas, see [Configuring Read-only Replicas](https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-read-only-replicas)

catalogValidationValues.json.template

@@ -21,3 +21,20 @@ module "postgresql_db" {
   region            = var.region
   resource_tags     = var.resource_tags
 }
+
+##############################################################################
+# ICD postgresql read-only-replica
+##############################################################################
+
+module "read_only_replica_postgresql_db" {
+  count             = var.read_only_replicas_count
+  source            = "../.."
+  resource_group_id = module.resource_group.resource_group_id
+  name              = "${var.prefix}-read-only-replica-${count.index}"
+  region            = var.region
+  resource_tags     = var.resource_tags
+  pg_version        = var.pg_version
+  remote_leader_crn = module.postgresql_db.crn
+  member_memory_mb  = 2304  # Must be an increment of 384 megabytes. The minimum size of a read-only replica is 2 GB RAM
+  member_disk_mb    = 10752 # Must be an increment of 1536 megabytes. The minimum size of a read-only replica is 10 GB of disk
+}

common-dev-assets

@@ -33,3 +33,16 @@ variable "resource_tags" {
   description = "Optional list of tags to be added to created resources"
   default     = []
 }
+
+variable "read_only_replicas_count" {
+  type        = number
+  description = "Number of read-only replicas per leader"
+  default     = 1
+  validation {
+    condition = alltrue([
+      var.read_only_replicas_count >= 1,
+      var.read_only_replicas_count <= 5
+    ])
+    error_message = "There is a limit of five read-only replicas per leader"
+  }
+}

examples/basic/README.md

@@ -1,12 +1,10 @@
-# Complete example with BYOK encryption, autoscaling, CBR rules, VPE creation and read-only replica provisioning
+# Complete example with BYOK encryption, autoscaling, CBR rules, VPE creation, and read-only replica provisioning
 
-An end-to-end example that uses the module's default variable values. This example uses the IBM Cloud terraform provider to:
+An end-to-end example that does the following:
 
 - Create a new resource group if one is not passed in.
-- Create a new ICD Postgresql database instance with auto-scaling (automatically increase resources) enabled.
 - Create Key Protect instance with root key.
-- Backend encryption using generated Key Protect key.
-- Create a Sample VPC.
-- Create Context Based Restriction(CBR) to only allow Postgresql to be accessible from the VPC.
-- Create a security group and a VPE for the postgres instance
-- Create a read-only replica of the leader Postgresql database instance.
+- Create a new ICD PostgreSQL database instance with auto-scaling and BYOK encryption enabled.
+- Create a Virtual Private Cloud (VPC).
+- Create Context Based Restriction (CBR) to only allow Postgresql to be accessible from the VPC.
+- Create a security group and a VPE for the PostgreSQL instance.

examples/basic/main.tf

@@ -14,7 +14,7 @@ module "resource_group" {
 ##############################################################################
 
 module "key_protect_all_inclusive" {
-  source            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v4.0.0"
+  source            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v4.1.0"
   resource_group_id = module.resource_group.resource_group_id
   # Note: Database instance and Key Protect must be created in the same region when using BYOK
   # See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok
@@ -67,16 +67,18 @@ module "cbr_zone" {
 ##############################################################################
 
 module "postgresql_db" {
-  source                   = "../../"
-  resource_group_id        = module.resource_group.resource_group_id
-  name                     = "${var.prefix}-postgres"
-  region                   = var.region
-  service_endpoints        = "private"
-  pg_version               = var.pg_version
-  kms_key_crn              = module.key_protect_all_inclusive.keys["icd-pg.${var.prefix}-pg"].crn
-  resource_tags            = var.resource_tags
-  service_credential_names = var.service_credential_names
-  auto_scaling             = var.auto_scaling
+  source                     = "../../"
+  resource_group_id          = module.resource_group.resource_group_id
+  name                       = "${var.prefix}-postgres"
+  region                     = var.region
+  service_endpoints          = "private"
+  pg_version                 = var.pg_version
+  kms_encryption_enabled     = true
+  kms_key_crn                = module.key_protect_all_inclusive.keys["icd-pg.${var.prefix}-pg"].crn
+  existing_kms_instance_guid = module.key_protect_all_inclusive.key_protect_guid
+  resource_tags              = var.resource_tags
+  service_credential_names   = var.service_credential_names
+  auto_scaling               = var.auto_scaling
   cbr_rules = [
     {
       description      = "${var.prefix}-postgres access only from vpc"
@@ -135,21 +137,3 @@ resource "time_sleep" "wait_30_seconds" {
   depends_on       = [ibm_is_security_group.sg1]
   destroy_duration = "30s"
 }
-
-##############################################################################
-# ICD postgresql read-only-replica
-##############################################################################
-
-module "read_only_replica_postgresql_db" {
-  count             = var.read_only_replicas_count
-  source            = "../.."
-  resource_group_id = module.resource_group.resource_group_id
-  name              = "${var.prefix}-read-only-replica-${count.index}"
-  region            = var.region
-  resource_tags     = var.resource_tags
-  pg_version        = var.pg_version
-  remote_leader_crn = module.postgresql_db.crn
-  member_memory_mb  = var.replica_member_memory_mb
-  member_disk_mb    = var.replica_member_disk_mb
-  member_cpu_count  = var.replica_member_cpu_count
-}

examples/basic/variables.tf

@@ -86,22 +86,8 @@ variable "auto_scaling" {
   }
 }
 
-variable "read_only_replicas_count" {
-  type        = number
-  description = "No of read-only replicas per leader"
-  default     = 1
-  validation {
-    condition = alltrue([
-      var.read_only_replicas_count >= 1,
-      var.read_only_replicas_count <= 5
-    ])
-    error_message = "There is a limit of five read-only replicas per leader"
-  }
-
-}
-
 variable "replica_member_memory_mb" {
-  type        = string
+  type        = number
   description = "Memory allocation required for postgresql read-only replica database"
   default     = "3072"
   validation {
@@ -114,7 +100,7 @@ variable "replica_member_memory_mb" {
 }
 
 variable "replica_member_disk_mb" {
-  type        = string
+  type        = number
   description = "Disk allocation required for postgresql read-only replica database"
   default     = "15360"
   validation {
@@ -127,7 +113,7 @@ variable "replica_member_disk_mb" {
 }
 
 variable "replica_member_cpu_count" {
-  type        = string
+  type        = number
   description = "CPU allocation required for the postgresql read-only replica database"
   default     = "9"
   validation {